In the oil and gas industry, the proper design, selection, and implementation of process control, shutdown, and instrumentation systems must ensure the maximum possible safety of personnel, assets, and the environment, in addition to achieving maximum availability of the plant. This is a challenge, and more so in gas production and processing plants. For refineries and petrochemical plants, any shutdown due to a malfunction, including failure of instrumentation and control components, also needs to be avoided, but it usually has comparatively smaller repercussions since there are tanks upstream, intermediate, and downstream of the plant. For gas producers and gas terminals, however, such a shutdown can in a short time lead to shutdown of the upstream wells and also leave downstream customers without fuel for their plants, thus leading to forced shutdowns. 

However, more reliability and availability usually come 
at an increased cost, though not necessarily in the same pro- 
portion. Every project needs to evaluate the cost benefit and 
decide on optimum levels for their needs and priorities. 

An exploration and production company in India has recently overcome this challenge in the process of developing subsea deep-water facilities and a gas-processing plant, and is now producing sweet gas and transporting it through pipelines to a number of downstream industries. 

This article summarizes how this challenge was suc- 
cessfully met. It is recommended that the suggestions men- 
tioned herein be considered thoroughly by the readers before 
attempting to use them. 


SYSTEM ARCHITECTURE 

The subsea system on the offshore platform is an integrated control system comprising 

1. Dedicated redundant computer systems for the subsea control system (SCS) 

2. A distributed control system (DCS) 


As depicted in Figure 59.1, the SCS monitors and controls the functions of the subsea wells along with their ancillaries on the topside of the offshore platform. It is tightly integrated with the DCS through OPC (OLE for process control) Data Access (DA) and OPC Alarms and Events (AE). 

Also as depicted in Figure 59.2, the subsea system is inte- 
grated with the emergency shutdown system (ESD) and fire 
and gas detection system (FGS) located on the offshore plat- 
form itself. 

Further, the DCS and FGS on the platform are integrated with the onshore terminal (OT), about 20 km away, through a redundant fiber-optic umbilical laid on the seabed. 

There is also a backup to the redundant umbilical in the form of a microwave communication system. This provides the capability of uninterrupted monitoring and control of the subsea wells and platform equipment from the OT. The microwave path carries the DCS, ESD, FGS, business local area network (LAN), and closed-circuit television (CCTV) traffic of the platform. 

Hence, the subsea wells and ancillaries can be monitored 
and controlled by the DCS and FGS operator workstations 
on the OT. Software logic has been so implemented that only 
one operating location, either on the offshore platform or the 
OT, can have control of the systems at any given time. 

Thus, centralized monitoring and control of all wells, the high-integrity pressure protection system (HIPPS), the mono ethylene glycol (MEG) injection and regeneration trains, and gas transportation are all done through the DCS situated in the centralized control room (CCR) at the onshore gas terminal. This DCS has a very large data exchange of approximately 100,000 tags. 

Further, the CCR has a large video wall for "monitoring at a glance" of the complete plant, including the subsea and fire and gas systems and all CCTVs installed on the facilities. Also, abnormal situation management graphics are used to help operators react more quickly and more accurately to any operational emergency such as power failures and trips. 

FIG. 59.1 Subsea system network. 

FIG. 59.2 Integrated control system architecture block diagram. 


A complete backup DCS operator console is also provided in a separate building close by. It can also monitor and control the complete OT and subsea system in case the CCR cannot be entered for any reason. Additionally, a control center in the company head office can monitor all the data and plant graphics in real time. 


Control Room Design 

Operators usually prefer the complete facilities to be monitored and controlled at operator stations in one single CCR. In this respect, OISD-STANDARD-163, "Process Control Room Safety" (2001), has been taken as one of the guiding documents while designing the control building. Better reliability was also ensured by considering the following: 

• The heating, ventilation, and air conditioning (HVAC) system design basis is such that it can handle inlet air of a G3 classification environment (as per ISA S71.04). 

• Cable entry to the control room uses cable transit blocks that are water and vapor tight. 

CONTROL SYSTEM DESIGN 

Process systems consist of manipulated variables, disturbances, and controlled variables. As plant instrumentation and control systems have become more complex and need to be closely integrated with third-party applications and also with business networks, their 24 x 7 availability and reliability has emerged as a major requirement. Unplanned process disruptions resulting from control system issues are not acceptable by any means. 

In order to systematically check the design for the required reliability and availability, and to correct any issue found during this check, the following steps are generally followed in this industry, as explained below. 

Hazard and Operability Study 

Once the process and instrument drawings (P&IDs) are ready, a hazard and operability study (HAZOP) workshop is carried out to identify the hazards to personnel, assets, and environment in a plant, with the following objectives: 

• To identify undesirable consequences of deviations 
from normal processes or operating conditions 

• To evaluate adequacy of the existing design and 
instrumentation with respect to safety and operations 
in order to prevent or minimize the consequence of 
hazards 

• To identify if any additional controls or other mea- 
sures are needed to prevent or minimize the conse- 
quences as necessary 

This interactive workshop is generally chaired by a knowl- 
edgeable and reputed third party, and is attended by process, 
instrumentation, and health, safety, environment, and fire 
(HSEF) engineers of both the consultant and the client. 

The methodology applies deviation guide words such as More, No, Less, As Well As, Part Of, Reverse, and Other Than to each process parameter, such as flow, temperature, pressure, and level. 

The data generally needed for this study are 

• P&IDs, layouts, operating manual 

• Cause and effect diagrams 

• Instrument sequence/logic diagrams 

• Alarm and trip settings 

The agreed recommendations of this workshop, like 
adding more alarms/instrumentation, or providing proper 
approaches to valves, or making and following Standard 
operating procedure, are then incorporated into the design. 

Safety Integrity Level 

Once all necessary HAZOP actions are incorporated in the P&IDs and cause and effect diagrams, a safety integrity level (SIL) study of the safety instrumented functions (SIFs) follows. This study is based on International Electrotechnical Commission (IEC) Standard 61511. 

A SIL study is a systematic approach to identify and address the risks to personnel, assets, and environment arising from failure of a protective loop. The purpose of the study is to define the SIL required to mitigate the effects of such a failure through reliable instrumented protective systems. It helps in deciding which instrumented functions need more than the basic level of reliability and, if so, how much more reliability is required. 

The determination is made by risk analysis, which quantifies the required performance of an instrumented function. It is well accepted that a control system like a DCS may not be reliable enough to provide an acceptable level of safety in every case. Therefore, most process plants have a separate safety instrumented system (SIS) or ESD, which is more stringently designed and monitored. 

An SIS is a set of components such as sensors, logic solv- 
ers, and final control elements designed for the purpose of 
taking the process to a safe state when predetermined param- 
eters or conditions are violated. 

Within the SIS, there are also levels of reliability for individual loops. These levels are the SILs, which are numerically defined in IEC 61511. SIL 1 is more reliable than a basic process control system such as the DCS. SIL 4 is the maximum SIF reliability performance allowed by IEC 61511. Implementing SIFs that need to achieve SIL 2 or above requires additional instrumentation in some form of redundant configuration. 

Table 59.1 summarizes the various SIL levels with the 
availability and probability of failure on demand (PFD) 
figures. 


TABLE 59.1 

SIL Availability and Probability to Fail on Demand (per IEC 61511) 

SIL   Availability Required (%)   Probability to Fail on Demand 
4     >99.99                      10^-5 to <10^-4 
3     99.90-99.99                 10^-4 to <10^-3 
2     99.00-99.90                 10^-3 to <10^-2 
1     90.00-99.00                 10^-2 to <10^-1 
The calibrated risk graph method of IEC 61511 part 3 Annex D is generally the preferred methodology. According to some experts, the calibrated risk graph method is a useful way of quickly screening out low-risk events with SIFs requiring SIL 2 or less, followed by a more rigorous method for those SIFs having a SIL rating greater than 2. For such SIFs, a more quantitative analysis using layer of protection analysis (LOPA), as described in IEC 61511-3 Annex F, is recommended to confirm that the higher-integrity SIF is warranted and to justify the added instrumentation expense. However, if the expense of the added instrumentation is not a major concern, LOPA can usually be dispensed with. 

This workshop is generally chaired by a knowledge- 
able reputed third party and is attended by process, HSEF, 
and instrumentation engineers of the consultant and the cli- 
ent. The agreed recommendations of this workshop, like 
adding more alarms/instrumentation, or providing proper 
approaches to valves, or making and following the standard 
operating procedures, are then incorporated into the design. 

The risk graph needs to be calibrated as per IEC 61511-3 Table D.2 for every project by the group, for the risk parameters mentioned below: 

1. Consequence (C): The number of people present when the area is exposed to a hazard, multiplied by the vulnerability. 

2. Occupancy (F): The probability of exposure of individuals in a hazardous event. 

3. Probability (P) of avoiding the hazard: An indication of the methods of alerting and the preventive actions available for minimizing the hazard. 

4. Demand rate (W): The number of times per year a hazardous event could occur in the absence of the safety instrumented function. There needs to be agreement on the number of times the event can take place in the absence of instrumented safety functions in order to include additional mitigating measures. The model needs extra inputs if the demand rate is more than 10 per year. 

Figure 59.3 illustrates an example for risk graph for per- 
sonnel safety. Similar graphs are also used for assets com- 
mercial integrity level (CIL) and for environmental integrity 
level (EIL) in risk consequences analysis. 

Taking an example of the usage of Figure 59.3, one can arrive at the target SIL with the following steps: 

1. Consequence (C): Potential extent of human injury if the protective function fails on demand. Consider one casualty, hence Cb. 

2. Occupancy, probability of exposure (F): Duration of presence of person(s) in the danger zone. Consider a large probability of persons being present, assume 90%, hence Fb. 

3. Possibility of avoiding the hazard (P): Assume 0%, hence Pb. 

4. Demand rate/probability of occurrence (W): Frequency of demand. Consider once in 10 years, hence W2. 

Following these steps, the required protection is determined as SIL 2. 

If the engineering of the DCS/ESD systems is not yet in an advanced design stage, one cost-optimizing benefit of the SIL study is that wherever a function does not reach even level 1 on any of SIL/EIL/CIL, it can be converted to a DCS trip rather than an ESD trip. An ESD system is costlier than a DCS. 
The methodology for this exercise is as follows: 

1. Select a SIF 

2. Identify the hazards and hazardous events that the SIF protects against 

3. Determine the scenarios leading to hazardous events and identify all initiating causes 

4. Determine the risks associated with each initiating cause for each hazardous event 

5. Determine the demand rate in the absence of the SIF 

6. Determine the safety risk using the matrix (an example has already been given) 

7. Determine the environmental risk in a similar manner 

8. Determine the commercial risk (CIL) in a similar manner 

9. Determine the overall integrity level for the SIF, which is the maximum of the three above 

10. Determine the risk reduction needed 

11. Determine the safety functions needed to achieve the risk reduction 

12. Allocate the safety functions to protection layers 
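As an added example (not code from the chapter or from any standard), the following Python encodes the Figure 59.3 walkthrough and steps 6 to 10 of the methodology above: it derives a level per risk dimension from the C, F, P and W classes, takes the maximum of SIL/EIL/CIL, applies the DCS-versus-ESD trip rule, and looks up the Table 59.1 PFD band. The node and outcome tables are the generic, uncalibrated IEC 61508-5 / IEC 61511-3 Annex D risk graph and are assumptions standing in for the project's own calibrated graph.

```python
"""Target SIL determination with the risk graph (IEC 61511-3 Annex D).

Added example, not code from the chapter. The class-to-SIL mapping below is the
generic, uncalibrated risk graph of IEC 61508-5 / IEC 61511-3 Annex D; the
project's calibrated graph (Figure 59.3) may differ, so treat both tables as
assumptions to be replaced by the project's own calibration.
"""

# Intermediate node X1..X6 reached from consequence C (a-d), occupancy F (a, b)
# and probability of avoiding the hazard P (a, b). Ca always leads to X1.
_X_NODE = {
    ("a", "a", "a"): 1, ("a", "a", "b"): 1, ("a", "b", "a"): 1, ("a", "b", "b"): 1,
    ("b", "a", "a"): 2, ("b", "a", "b"): 3, ("b", "b", "a"): 3, ("b", "b", "b"): 4,
    ("c", "a", "a"): 3, ("c", "a", "b"): 4, ("c", "b", "a"): 4, ("c", "b", "b"): 5,
    ("d", "a", "a"): 4, ("d", "a", "b"): 5, ("d", "b", "a"): 5, ("d", "b", "b"): 6,
}

# Outcome at each node for demand-rate class W1, W2, W3 (W3 = highest demand rate).
# 0: no safety requirement; "a": no special safety requirement (but review);
# "b": a single SIF is not sufficient, the process design itself must change.
_OUTCOME = {
    1: {1: 0, 2: 0, 3: "a"},
    2: {1: 0, 2: "a", 3: 1},
    3: {1: "a", 2: 1, 3: 2},
    4: {1: 1, 2: 2, 3: 3},
    5: {1: 2, 2: 3, 3: 4},
    6: {1: 3, 2: 4, 3: "b"},
}

# Table 59.1: SIL -> (lower PFD bound inclusive, upper PFD bound exclusive).
PFD_BAND = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}


def risk_graph_level(c, f, p, w):
    """Integrity level for one risk dimension (personnel SIL, EIL or CIL).

    Returns an int 0..4, or the standard's letters "a"/"b" (see _OUTCOME).
    """
    c, f, p = c.lower(), f.lower(), p.lower()
    if c not in ("a", "b", "c", "d") or f not in ("a", "b") or p not in ("a", "b"):
        raise ValueError("C must be a-d, F and P must be a or b")
    if w not in (1, 2, 3):
        raise ValueError("W must be 1, 2 or 3; demand rates above 10/year need extra inputs")
    return _OUTCOME[_X_NODE[(c, f, p)]][w]


def overall_integrity_level(sil, eil, cil):
    """Step 9 of the methodology: the SIF target is the maximum of the three levels."""
    levels = (sil, eil, cil)
    if "b" in levels:
        raise ValueError("outcome b: one SIF cannot reduce this risk; revisit the design")
    return max(level if isinstance(level, int) else 0 for level in levels)


def trip_allocation(overall):
    """Chapter's cost rule: a function that does not reach even level 1 on any of
    SIL/EIL/CIL can be a DCS trip; anything at level 1 or above goes to the ESD."""
    return "ESD" if overall >= 1 else "DCS"


def target_pfd_band(overall):
    """PFD band the later SIL verification must prove (None below SIL 1)."""
    return PFD_BAND.get(overall)


def chapter_example():
    """The worked personnel-safety case: Cb, Fb (90% occupancy), Pb, W2 (1 in 10 yr)."""
    sil = risk_graph_level("b", "b", "b", 2)   # -> 2, as in the chapter
    # Environmental and commercial dimensions below are constructed values.
    eil = risk_graph_level("b", "a", "b", 2)   # -> 1
    cil = risk_graph_level("a", "b", "b", 3)   # -> "a"
    overall = overall_integrity_level(sil, eil, cil)
    return {"sil": sil, "eil": eil, "cil": cil, "overall": overall,
            "trip": trip_allocation(overall), "pfd_band": target_pfd_band(overall)}


if __name__ == "__main__":
    print(chapter_example())
```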

SIL Verification 

SIL verification is carried out to confirm that the reliabilities of the procured systems are as designed. It basically determines whether the calculated SIL of the SIF meets the target SIL in terms of PFD. 

It is carried out once all instrumentation and systems are ordered and the PFD values of all items are available. PFD data can be taken from vendor information or from the Offshore Reliability Data (OREDA) handbook. 

SIL verification calculations can be performed using any commercial software such as SILver (available under license from exida.com) or similar. 

Control System Risk Assessment 

A control system risk assessment workshop needs to be conducted after the control system design has been finalized. The purpose of the workshop is to review the risks to plant operations due to loss of functionality of the control systems and associated data networks of the project. What the SIL study is to the shutdown functions, this risk assessment is to the control functions. As the control and monitoring facilities are also important to the safe and efficient operation of the facilities, this assessment ascertains the impact on operations in the event of loss of the data network and control facilities, either wholly or partially. Generally the following facilities are assessed for risks: 

• Data highway networks 

• DCS control system hardware and software 

• Interface with ESD and critical third-party packages 

This workshop generally comprises the control system supplier's expert(s) and the process, instrumentation, and HSEF personnel of the client and the consultant, and is chaired by a third-party expert. The group identifies why and how events could prevent or degrade the expected operation of the control system. The analysis covers the full range of potential consequences and how these could occur. For example, it covers not only the risks due to failure of components of the DCS and its network, but also the risks due to failure of HVAC, flooding of equipment room(s), late delivery of hardware, commissioning issues, ambient chemical contaminants, natural calamities such as earthquakes, unauthorized access to the control system, etc. 

The group determines the severity of the consequences of each of the above risks and also the likelihood of failure, and hence the level of risk. The consequences cover effects on people, assets, environment, and company reputation. The likelihood is compared against pre-established criteria, such as whether such scenarios are possible and whether they have ever happened in any industry, a similar industry, or in the company itself. Based on this discussion, decisions are made about the extent and nature of the treatments required, and about the severity being low, medium, or high. 

These are then to be followed up and implemented. 
Figure 59.4 shows a risk map. This is prepared before and 
also after the mitigating treatment. The goal of the treatment 
is to reduce the severity of risk to as low as possible. 

SELECTION OF CONTROL SYSTEMS 

It is crucial to select the most suitable control system for the plant. The control system must be proven and still have at least 15-20 years of life. It must have an open architecture at every possible level. It must be able to withstand at least environment classification G3 as per ISA S71.04. In this respect, the following advice on processes and procedures may be found useful by design engineers. 

As a starting point, attempts must be made to provide a single redundant integrated DCS for the complete plant. However, this will be most practical only if the plant is a greenfield site. The limits on the maximum number of workstations, servers, controllers, and packages on the network must be checked. Future expansions must be factored in and the limits of these possible extensions determined. The system must have modular and scalable design characteristics, thus providing easy maintenance and improvement. 

Design it with redundancies to take care of failures and 
keep plant availability high; target for 99.9% availability. 
Redundancies for power supplies, CPUs, controllers, commu- 
nication cards, network switches, and communication cables 
must be provided. It is helpful to use redundant array of inde- 
pendent disks (RAID) 5 for engineering and history servers 
and RAID-1 for other servers. It must be ensured that no single 
point of failure (except at the I/O level) will trip the process. 

Check processing speeds. Nowadays, a 1 Gbps backbone with 100 Mbps connections is quite common. The majority of loops generally need an execution time of approximately 1000 ms. However, some specific processes could need faster execution, say 250 ms. For system sizing purposes during the preliminary engineering and procurement phases, consider a value of 500 ms. 

FIG. 59.4 Risk assessment matrix example. 


It is very important that the system be capable of providing standard interface protocols such as OPC, Modbus TCP/IP, serial interfaces, HART, Foundation Fieldbus (FF), etc., to field devices and to third-party packages. As far as possible, ensure that the interfacing is done at the controller level. 

The DCS system must integrate tightly with ESD sys- 
tem and with other third-party package programmable logic 
controllers (PLCs) via redundant connections to get a single 
window of the plant to the operator. 

In order to have effective troubleshooting and analysis capability, select the system such that it provides the following: 

• Archivable history for at least 6 months, with sub-second time-stamping capability. 

• Sequence of events (SOE) recording for complex packages. 

• Global positioning system (GPS) based time synchronization of the control system with all systems and packages connected on the network. 

• An alarm management system designed, procured, and managed as per EEMUA publication 191. Ensure that only those alarms are configured which will call for an action; otherwise they will load the operator unnecessarily. 

Ensure the control network is fully separate from the plant interface network (PIN). The PIN is generally a 100/1000 Mbps TCP/IP network. On the PIN, one can run the alarm management system, the asset management/computerized maintenance management system, and the historian, and also connect the business LAN for management information systems and SAP (Systems, Applications and Products). 


Ensure that diagnostic tools to monitor the health of 
instruments and control systems are in-built into the system. 
The control system must have the capability of performance 
monitoring for the processors, and the network from response 
and loadings points of view. 

Fieldbus diagnostic modules must be integrated for phys- 
ical layer diagnostics. Surge protectors must be installed to 
prevent transients. 

In the design, a document server should be connected on 
the network so that the operator can access the P&IDs, cause 
and effects, datasheets, manuals, and other documents from 
the workstation. 

Security of the control system and control network is of paramount importance. The business LAN must be connected to the PIN only via a firewall, in order to protect the PIN and the control networks from unauthorized access and from viruses. Also disable all pen drives, office applications, and games on these workstations. Do not allow office PCs or laptops to be installed and used on the DCS consoles. 

All offline users who need real-time data from the control system must connect via the firewall only. Provide web server access to technologists and operating heads for remote monitoring. They can then view (view only) the plant graphics and data in real time from their desks without troubling the operating staff. 

Have a similar but smaller version of all the main systems (DCS, ESD, and FGS) set up in the workshop. This is used for testing new software patches before loading them onto the live system. During the life cycle of the control system there can be expected to be many software upgrades and modifications needing frequent network upgrades and thus software patch installations; these can be tested on this offline system. Since this system is always kept "ON," its "tested" parts can be used during any emergency spare part requirement in the plant. Furthermore, the system can be used for third-party interface testing. Last but not least, it can be used for training site personnel. 

Ensure the vendors provide remote monitoring services 
so that in case of any extreme problem, even if local vendor 
engineer cannot rectify the fault, the expert can log into the 
system remotely (with permissions) to check the system and 
rectify the problem. 

It is recommended that for complex plants, an offline 
operator training simulator is procured and commissioned as 
soon as possible. The hardware platform could either be the 
offline DCS system mentioned above or another system pack- 
age. However, to reduce time and costs it would be beneficial 
to ensure that the necessary DCS files of graphics, function 
blocks, and logics can be easily loaded into the simulator. 
The simulator is of course required to train the operators in 
proper monitoring and control of the plant. However, it has 
an added advantage of giving feedback to the DCS imple- 
menting engineers during loop and logic checks if some cor- 
rections are required in logic, especially in sequential logics 
and timing settings. 

CONTROL OF THIRD-PARTY PACKAGES 

For most third-party mechanical packages such as turbine generators, gas compressors, and metering systems, the control and shutdown functions are usually implemented in the vendor-supplied PLCs dedicated to the package rather than in the DCS. This is basically due to the following reasons: 

• Vendor control and protection system is best left to the 
vendor from point of view of expertise, guarantees, 
and performances. 

• The complete system can be tested at vendor premises 
along with the packages. 

• It can be commissioned at site even if the main control 
system, the DCS, is not quite ready before the package 
is required to run. 

Standardize the PLC type and manufacturer for all pack- 
ages in the project for benefit of maintenance, training, and 
lower spare parts inventory. 

The requirements for a reliable control system are as follows: 

• The package PLCs should be able to monitor, control, and protect without being dependent on any external control system. 

• Interface the package PLCs with the plant DCS and ESD systems so that the package equipment can be monitored and, if possible and if required, even controlled in supervisory mode from the DCS, besides providing a common window for operator monitoring. 

• A redundant Modbus/OPC-based communication link via dedicated redundant communication modules with the DCS, which will carry all monitoring and status signals between the package PLC and the DCS. However, a few selected critical control signals, shutdown signals, and operator commands are to be hardwired from the DCS, ESD, FGS, and motor control center systems to the package PLC and vice versa. 

• The package PLC panels shall have the following minimum level of redundancy: 

• Dual processors 

• Dual communication systems 

• Dual power supply units fed from the UPS 

• It is important to have a text description with every rung of the ladder logic. 

SIS OR ESD IMPLEMENTATION 

The SIS, also called the ESD, should be specified, manufactured, and designed in accordance with IEC 61508 or a similar standard. The minimum requirements are as follows: 

1. Failsafe and reliable, with TÜV certification (Technischer Überwachungsverein, a German body; translates to Technical Inspection Agency). 

2. Proven. 

3. SIL rated as required. 

4. Redundancy in CPU, power, communications, and critical input/output modules. 

5. For non-failsafe devices, use supervised digital outputs. 

6. All plant shutdowns must be 2oo3 logic. 

7. All unit shutdowns having SIL/EIL/CIL 2 or more are to be 2oo3 logic. 

8. Avoid 2oo2 logic. However, if costs forbid, use it along with a deviation alarm between the two. 

9. Where a single ESD trip is used for non-critical applications, have a deviation alarm against the respective DCS transmitter. 

10. Ensure that redundant devices are connected to different modules in the shutdown system to avoid a single point of failure. 

11. All trips must have a pre-alarm from another transmitter. 

12. All commands to or from the ESD system should be hardwired. 

13. Target availability of the ESD system: a minimum of 99.99%. 


PARTIAL STROKE TEST 

In spite of the best and most reliable SIS, unreliability usually comes from the shutdown valves, which is why these account for nearly 50% of failures in the loop. One of the reasons is that they typically stay in one position for months and maybe years and only move upon an emergency. Without any movement of the valve, unreliability inherently increases and there is a concern about the valve's availability upon an actual demand. 

FIG. 59.5 Typical PST implementation. 

This can be overcome by frequent testing of the movement of the valve. The valve is moved to, say, 10%-15% closure and opened again as soon as possible to avoid disruption to operations. This is achieved by partial stroke tests (PSTs) using smart positioners. The minimum number of times the valves need to be stroked in a year is dictated by the SIL calculations. 

The PST allows the positioner to perform a valve signature test while the instrument is in service and operational. It exercises and tests the ESD valve in order to verify that it will operate when commanded. It partially strokes the valve while continually monitoring the shutdown signal. If a shutdown demand arises while the test is in progress, the test is automatically aborted and the valve moves to the commanded position. A typical PST implementation is shown in Figure 59.5. 

In addition to testing the valve assembly, the solenoid 
valve (SOV), which is connected between the digital valve 
controller and the valve actuator, also needs to be tested. This 
SOV carries out the action of tripping the shutdown valve in 
the event of a demand. It is tested using the functionalities of 
the smart positioner and the micro-pulse from the ESD sys- 
tem. This test confirms that both the coil and plunger are in 
a condition to respond in the event of a demand by capturing 
the momentary dip in pneumatic pressure due to venting of 
actuator pressure through the solenoid exhaust port. 
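To tie together the SIL verification section, the 2oo3 voting requirements for the ESD, and the PST discussion above, here is an added Python example (not the chapter's or any vendor's code) that computes a loop PFDavg with the simplified IEC 61508 low-demand equations, maps it to the Table 59.1 bands, and finds the minimum number of partial strokes per year a SIL target demands. All failure rates, beta factors and intervals are constructed sample values, not vendor or OREDA data.

```python
"""SIL verification by average probability of failure on demand (PFDavg).

Added example, not code from the chapter. It applies the simplified IEC 61508
low-demand equations (repair time neglected, lambda_DU*T << 1) to the voting
architectures the chapter names, sums the subsystem PFDs, maps the result to the
SIL bands of Table 59.1, and derives the minimum partial stroke test (PST) rate
the loop needs. Every failure rate, beta factor and interval below is a
constructed sample value.
"""
from dataclasses import dataclass, replace

HOURS_PER_YEAR = 8760.0


def pfd_for_voting(voting, lam_ti, beta=0.0):
    """PFDavg of one subsystem from its voting, lambda_DU*T (dimensionless) and
    the common-cause factor beta of its redundant channels."""
    if voting == "1oo1":
        return lam_ti / 2
    if voting == "2oo2":            # either channel failing defeats the trip
        return lam_ti
    if voting == "1oo2":
        return lam_ti ** 2 / 3 + beta * lam_ti / 2
    if voting == "2oo3":
        return lam_ti ** 2 + beta * lam_ti / 2
    raise ValueError(f"unsupported voting {voting!r}")


@dataclass(frozen=True)
class Subsystem:
    name: str
    lambda_du: float            # dangerous undetected failures per hour
    voting: str                 # "1oo1", "1oo2", "2oo2" or "2oo3"
    proof_test_years: float     # full proof-test interval T, in years
    beta: float = 0.0           # common-cause fraction (redundant votings only)
    pst_coverage: float = 0.0   # share of dangerous failures a PST reveals
    pst_per_year: int = 0       # partial stroke tests per year, 0 = none

    def pfd(self):
        lam_year = self.lambda_du * HOURS_PER_YEAR
        if self.pst_per_year and self.pst_coverage:
            if self.voting != "1oo1":
                raise ValueError("PST credit is modelled here for a 1oo1 final element only")
            # Failures the PST can reveal are tested every 1/pst_per_year years;
            # the rest wait for the full proof test: lambda*((1-C)*T/2 + C*T_pst/2).
            covered = pfd_for_voting("1oo1", lam_year * self.pst_coverage / self.pst_per_year)
            uncovered = pfd_for_voting(
                "1oo1", lam_year * (1 - self.pst_coverage) * self.proof_test_years)
            return covered + uncovered
        return pfd_for_voting(self.voting, lam_year * self.proof_test_years, self.beta)


def sil_from_pfd(pfd):
    """Map PFDavg to the SIL band of Table 59.1 (0 = worse than SIL 1)."""
    for sil, upper in ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1)):
        if pfd < upper:
            return sil
    return 0


def loop_pfd(subsystems):
    """Series loop: sensor, logic solver and final element PFDs add up."""
    return sum(s.pfd() for s in subsystems)


def verify_sif(subsystems, target_sil):
    pfd = loop_pfd(subsystems)
    achieved = sil_from_pfd(pfd)
    return {
        "pfd": pfd,
        "achieved_sil": achieved,
        "meets_target": achieved >= target_sil,
        "share": {s.name: s.pfd() / pfd for s in subsystems},  # who dominates the loop
    }


def min_pst_per_year(subsystems, final_element, target_sil, max_per_year=52):
    """Smallest PST rate on the named final element that lets the loop reach
    target_sil; None if no rate up to max_per_year is enough (fix the design)."""
    for n in range(0, max_per_year + 1):
        trial = [replace(s, pst_per_year=n) if s.name == final_element else s
                 for s in subsystems]
        if sil_from_pfd(loop_pfd(trial)) >= target_sil:
            return n
    return None


# Constructed sample SIF: 2oo3 pressure transmitters, 1oo2 logic solver and one
# shutdown valve with its solenoid, all proof tested yearly; PST coverage 70%.
SAMPLE_SIF = [
    Subsystem("pressure transmitters", 0.5e-6, "2oo3", 1.0, beta=0.05),
    Subsystem("ESD logic solver", 0.1e-6, "1oo2", 1.0, beta=0.02),
    Subsystem("shutdown valve + SOV", 3.0e-6, "1oo1", 1.0, pst_coverage=0.7),
]

if __name__ == "__main__":
    result = verify_sif(SAMPLE_SIF, target_sil=2)
    print(f"PFDavg {result['pfd']:.2e} -> SIL {result['achieved_sil']}, shares {result['share']}")
    print("PSTs per year needed for SIL 2:",
          min_pst_per_year(SAMPLE_SIF, "shutdown valve + SOV", 2))
```

With the sample values the valve alone holds the loop at SIL 1 and contributes almost all of the PFD; two partial strokes a year lift the loop into the SIL 2 band without touching the transmitters or logic solver.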

FIRE AND GAS DETECTION SYSTEM 

There is a need for a reliable FGS to ensure detection of a hazardous situation, to provide sufficient and meaningful information to operators, and, if required, to initiate a safe shutdown, while also ensuring minimal spurious alarms and shutdowns. 


The system generally interfaces with the following: 

• ESD and DCS systems to provide alarms, displays, 
control, and shutdown actions 

• Public address/general alarm system for plant-wide 
announcement of the alarms using tone and voice 

• CCTV system so that on getting input from the fire 
detection system, the camera automatically pans to the 
point of fire, smoke, or gas detected 

• Access control systems, so that the latter can be automatically disabled in case of any hazard detection 

• Fire suppression systems, like FM200, which are used 
for important and unmanned rooms like the server 
rooms 

The detection of fire or gas in the plant area is generally 
realized by means of combustible gas detectors, flame detec- 
tors, fusible plug loops, and heat sensors. A number of break 
glass manual call points are also provided at strategic loca- 
tions in the plant for initiating manual fire alarms. Flashing 
strobe lights and sounders are provided at strategic locations 
to indicate detection of fire or gas. 

The manned buildings and electrical switchgear rooms are provided with suitable smoke detection systems and manual break glass stations. 

Most of these FGS nowadays also take inputs from the 
wind speed and direction measuring systems so that HSEF 
and operators can direct the evacuation when needed. 

The process plant and building fire and gas systems are both 
integrated to provide a common display to operations room, fire 
and safety control room, radio room, and security control room. 

USING FOUNDATION FIELDBUS 

In conventional analog installations, two wires carry a 4-20 mA current signal to or from the field that represents the process variable from a transmitter or the command to a control valve. 

The highway addressable remote transducer (HART) protocol is the global standard for sending and receiving digital information across analog wires between smart devices and control or monitoring host systems. A host can be any software application, from an engineer's hand-held device or laptop computer to plant process control, asset management, and safety systems. It is thus a 4-20 mA signal with digital communication signals superimposed for more functionality, including diagnostics. 

FF is an all-digital, two-way, multidrop communication link among multiple devices and host control systems. In FF, the wire pair is called a network. Being a network, it can carry many process variables and other information. It has the capacity to distribute the control application across the network, and the control algorithm can be executed in the field devices. 

The physical layer of FF is an H1 bus having a data transmission speed of 31.25 kbps, defined in the IEC 61158-2 and ISA-S50.02 fieldbus standards. It interconnects "field" equipment such as sensors, actuators, and host I/O. The high-speed Ethernet bus (100 Mb/s) provides integration of high-speed controllers (such as PLCs), H1 subsystems, data servers, and workstations. 

Loop execution time is generally between 500 ms and 1.2 s, depending on the loop requirement. 

One advantage over conventional analog instrumentation is the reduction of field cabling and marshalling panels, which in turn reduces equipment room size and HVAC requirements. It also provides more information to operators and engineers. 

However, correct implementation of FF cabling and termination is vital. If not done correctly, the FF signal will be compromised and most likely will not work, since there would be noise, crosstalk, and consequent signal quality issues. Noise on the signal can come from crosstalk of the digital signal from one signal line to an adjacent one. 

To avoid this, a single twisted-pair cable (Type A as per IEC 61158) with an overall shield should be used from the transmitter to the controller. The cable twist, shield, and isolation must be maintained right up to the termination points. Also, spare wires must be terminated, and all devices and junction boxes must be properly grounded. 

FIELD INSTRUMENTATION 

It is a good idea to minimize the number of instruments on the P&ID. The project team must justify the need for each and every instrument on the P&ID. 

Use smart and reliable field instrumentation for measuring process variables such as the pressures, temperatures, flows, and levels of the various process fluids/equipment. Suitable protocols should be used for communicating with the control and shutdown systems. The sensor response time should ideally be less than 250 ms. 


Smart transmitters differ a great deal from conventional analog 4-20 mA setups. A smart transmitter uses a microprocessor that contains information on the sensor characteristics in response to pressure and temperature inputs. It compensates for sensor variations and provides real-time diagnostics of itself to the maintenance team. 

For control applications, FF instruments can be used. However, for shutdown applications where SIL ratings are necessary, HART instruments with a minimum of SIL 2 are generally selected. 

The metallurgy of the wetted parts of a transmitter is selected depending on its application. Examples are the stainless steels, Monel, and Hastelloy C, as per the requirements of the process. Besides the pressure and temperature ratings, one also needs to consider the environment. For sites close to marine environments, external corrosion issues will be dominant, particularly if the temperatures are higher than 60°C. For example, in an application where the design temperature is 245°C and the design pressure is 42 bar, one would have to consider Monel flanges of 300°C rating (since carbon steel is generally avoided for instrumentation items). However, to take care of external corrosion in a marine environment, one step higher rating would be preferred to ensure long-term reliability. 

The transmitters are installed using impulse tubing or are directly flanged onto the pipelines. Measurement accuracy also depends upon proper installation of the transmitter and the impulse piping and tubing. Mount the transmitters as close as possible to the pipes. Consider easy access, personnel safety, and a vibration-free installation environment. 

For security, write-protect the field device configuration so that only authorized changes can be made. 

IMPLEMENTATION OF CONTROL SYSTEMS 

At the implementation stage of the control systems, the following may be found useful: 

1. Lay redundant fiber-optic cables through different routes. 

2. Carry out 100% loop checks by simulating from the field. Logic checks can be done either by simulating from the field or from the control room itself. 

3. Configure first out alarms/SOE. 

4. Carry out alarm routing to nominated consoles. It is also important to ensure that the alarms configured on the DCS are really useful to the operator. If an alarm invites no action, it may be reviewed and deleted. 

5. An alarm rationalization workshop should be conducted before startup. After startup, the alarm set can be fine-tuned using the frequency analysis tool of the alarm management system. 

6. Check and record the noise on all fieldbus segments. 

7. Take at least two backups of all systems and keep them at different locations, one being remote. Also configure automatic backup of the system. 
8. Store all licenses and activation disks. 

9. Integrate with SAP for preventive maintenance planning, using parameters such as equipment run hours and fault management. 

10. Protection of systems from viruses. 

11. Ensure that all cable entries to field instruments and junction boxes are either side or bottom entry. For side entry, ensure a drip loop. 

12. Do not run signal cables along with power cables; follow the relevant IEC guidelines. Ensure the quality of physical media such as FO cables and fieldbus cables. Use shielded twisted-pair cable to get the best results. 

13. Use spring-type terminals rather than screw-type terminals; this leads to fewer "trips" due to "loose wiring." 

Audits 

Invite audits by experts to ensure proper design, implementation, and compliance. The auditors could be third parties, the engineering consultant, another wing of the same company, and/or control system vendor experts. 

It is also very important to carry out audits of impulse tubing fittings for correct installation. 

People 

An integrated team of personnel from the project, control system vendor, construction, and maintenance must be formed at the construction stage itself. They must be involved during construction, SAP, loop, and logic checking. 


Site Changes 

Any site change must be justified before it is implemented at the site. The initiator must raise a site modification request. Only once it is approved by the competent authority may it be engineered. If the unit is already in operation by that time, a proper implementation risk assessment must be carried out and accepted before a permit is given for the implementation. 
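The write-protection recommended under Field Instrumentation and the site modification request process described here can be checked together: configuration read back from the devices is compared against a fingerprinted baseline, and every difference must match an approved request. The Python code below is an added example, not from this chapter or any asset management product; the tag names, parameters, values, and the "SMR-" request identifier format are all constructed for illustration.

```python
# Added example: detecting unauthorized field-device configuration changes by comparing a
# fingerprinted baseline against the configuration read back from the devices, and matching
# each difference to an approved site modification request (SMR). All tags, parameters,
# values and SMR identifiers are constructed for illustration.
import hashlib
import json

# Constructed baseline snapshot, taken after commissioning (hypothetical tags and values).
BASELINE = {
    "PT-101": {"lrv_bar": 0.0, "urv_bar": 50.0, "damping_s": 0.5,
               "fail_mode": "high", "write_protect": True},
    "TT-205": {"lrv_degc": -40.0, "urv_degc": 250.0, "damping_s": 1.0,
               "fail_mode": "low", "write_protect": True},
}


def fingerprint(config: dict) -> str:
    """SHA-256 over a canonical JSON encoding; keep it with the baseline, ideally off-system."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


BASELINE_FINGERPRINT = fingerprint(BASELINE)

# Constructed approved site modification requests (SMR ids are hypothetical).
APPROVED_REQUESTS = [
    {"smr": "SMR-0042", "tag": "PT-101", "parameter": "urv_bar", "new_value": 60.0},
]

# Constructed configuration read back from the devices during an audit.
READBACK = {
    "PT-101": {"lrv_bar": 0.0, "urv_bar": 60.0, "damping_s": 2.0,
               "fail_mode": "high", "write_protect": True},
    "TT-205": {"lrv_degc": -40.0, "urv_degc": 250.0, "damping_s": 1.0,
               "fail_mode": "low", "write_protect": False},
}


def baseline_is_intact(baseline: dict, expected_fp: str) -> bool:
    """The baseline is only trustworthy if it still matches the stored fingerprint."""
    return fingerprint(baseline) == expected_fp


def audit(baseline: dict, expected_fp: str, readback: dict, approved: list) -> list:
    """Return one finding per changed parameter, marked approved (with its SMR) or unauthorized."""
    if not baseline_is_intact(baseline, expected_fp):
        raise ValueError("baseline snapshot does not match its fingerprint")
    approved_index = {(r["tag"], r["parameter"], r["new_value"]): r["smr"] for r in approved}
    findings = []
    for tag in sorted(set(baseline) | set(readback)):
        if tag not in readback:
            findings.append({"tag": tag, "parameter": None, "status": "missing_device"})
            continue
        if tag not in baseline:
            findings.append({"tag": tag, "parameter": None, "status": "unknown_device"})
            continue
        old, new = baseline[tag], readback[tag]
        for param in sorted(set(old) | set(new)):
            if old.get(param) == new.get(param):
                continue
            smr = approved_index.get((tag, param, new.get(param)))
            findings.append({"tag": tag, "parameter": param,
                             "old": old.get(param), "new": new.get(param),
                             "status": "approved" if smr else "unauthorized", "smr": smr})
    return findings


def unprotected_devices(readback: dict) -> list:
    """Tags whose configuration is currently writable, contrary to the write-protect rule."""
    return sorted(tag for tag, cfg in readback.items() if not cfg.get("write_protect", False))


if __name__ == "__main__":
    for finding in audit(BASELINE, BASELINE_FINGERPRINT, READBACK, APPROVED_REQUESTS):
        print(finding)
    print("writable devices:", unprotected_devices(READBACK))
```

On the constructed data the range change on PT-101 is covered by SMR-0042, while the damping change and the removal of write protection on TT-205 have no request behind them and are reported as unauthorized; the fingerprint check refuses to run the comparison at all if the baseline itself has been edited. Once a request is implemented and accepted, the baseline is re-snapshotted and re-fingerprinted, so the approved list only ever needs to hold changes in flight.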

DISCLAIMER 

All views and observations made/expressed in this chapter are solely those of the author, and the company is not responsible for the substance, veracity, and truthfulness of such views and statements. 